Recent years have witnessed a surge in popularity of the Internet. Access by home users, small businesses, large corporations, universities and government agencies continues to increase at a rapid rate.
Generally speaking, the Internet may be considered as the interconnection of a large number of local, regional or global networks interconnected using one of several global backbone communications routes, with access provided by Internet service providers (ISPs) or direct network-to-network connection (typically for large users). Access to ISP networks is typically accomplished using the well-known Internet Protocol (IP) through ISP points of presence (POPS) in many different locations around the country, thus permitting customers to have local dial-in access or a short leased-line access. After gaining access to an ISP users have access to the Internet, usually through a hierarchy of local access providers and other network service providers. Increasingly, access is available through a variety of broadband access technologies, such as “always-on” cable and DSL modems connected over CATV cable facilities or local telephone lines at data rates many times higher than dial-up telephone links.
Another aspect of evolving networking needs of corporate and other data communications users relates to the mobility of employees, customers and suppliers requiring access to headquarters or branch locations of an enterprise. Home office and temporary access to corporate networks, including access from hotels and offices of customers, suppliers and others is of increasing importance to many network users and operators.
Still further, another aspect of evolving networking needs includes e-commerce applications, the transfer of transaction information between two or more parties, such as customers and businesses. Such transactions could include financial transfers, personal information transfers, such as credit card numbers, birth dates, social security numbers, health information, insurance information, and banking information, and the like.
Such widespread use and access, including temporary, mobile or remote access, has raised concerns by many for the security of transmissions over the public links of the Internet. Consumers are often unwilling to provide personal or financial information over the Internet. Large corporations with extensive networking needs have in many cases preferred private networks for their typically large volumes of data to many different locations. It has proven relatively easier to provide security measures for insuring the integrity and privacy of communications between stations, or nodes, in private networks using a variety of data checking and encryption technologies.
For example, secure private networks are typically protected by firewalls that separate the private network from a public network. Firewalls ordinarily provide some combination of packet filtering, circuit gateway, and application gateway technology, insulating the private network from unwanted communications with the public network.
Encryption in private networks is illustratively performed using an encryption algorithm using one or more encryption keys, with the value of the key determining how the data is encrypted and decrypted. So-called public-key encryption systems use a key pair for each communicating entity. The key pair consists of an encryption key and a decryption key. The two keys are formed such that it is not feasible to generate the decryption key from the encryption key. Further, in public-key cryptography, each entity makes its encryption key public, while keeping its decryption key secret. When sending a message to node A, for example, the transmitting entity uses the public key of node A to encrypt the message; the message can only be decrypted by node A using its private key. Many other encryption algorithms are described in the literature. See, for example B. Schneier, Applied Cryptography—Protocols, Algorithms, and Source Code in C, John Wiley and Sons, New York, 1994.
Information regarding encryption keys and the manner of using them to encrypt data for a particular secure communications session is referred to as key exchange material. Key exchange material illustratively includes keys to be used and a time duration for which each key is valid. Both end stations in an end-to-end path must know key exchange material before encrypted data can be exchanged in a secure communications session. The manner of making key exchange material known to communicating stations for a given secure communications session is referred to as session key establishment.
Many of the integrity and privacy safeguards long employed in private networks have not always been available in networks involving at least some public network links. Yet, smaller users and, increasingly, large users have sought techniques for safely employing public networks to meet all or part of their communications network needs. Among the techniques employed to provide varying degrees of approximation to security advantages available in private networks while employing public links are so-called virtual private networks or VPNs.
Virtual private networks provide secure communications between network nodes by encapsulating and encrypting messages. Encapsulated messages are said to traverse a tunnel in a public network, and are encapsulated by a process of tunneling. Tunnels using encryption provide protected communications between users at network nodes separated by public network links, and may also be used to provide communications among a selected or authorized subset of users in a private network. Exemplary types of tunneling protocols include IP Security (IPSec), Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Tunneling Protocol (PPTP).
In a VPN, a tunnel endpoint is the point at which any encryption/decryption and encapsulation/de-encapsulation (sometimes called decapsulation) is provided in a tunneling process. In existing systems, tunnel end points are predetermined network layer addresses. The source network layer address in a received message is used to determine the credentials of an entity that requests establishment of a tunnel connection. For example, a tunnel server uses the source network layer address to determine whether a requested tunnel connection is authorized. The source network layer address is also used to determine a cryptographic key or keys to be used to decrypt received messages.
Existing tunneling processing is typically performed by encapsulating encrypted network layer packets (also referred to as frames) at the network layer. Such systems provide network layer within network layer encapsulation of encrypted messages. Tunnels in existing systems are typically between firewall nodes that have statically allocated IP addresses. In such existing systems, the statically allocated IP address of the firewall is the address of a tunnel end point within the firewall. Existing systems that connect local-area networks (LANs) fail to provide a tunnel that can perform authorization for a node that must dynamically allocate its network layer address. This is especially problematic for a user wishing to establish a tunnel in a mobile computing environment for which an ISP allocates a dynamic IP address.
U.S. Pat. No. 6,101,543 issued Aug. 8, 2000 to K. H. Alden, et al., discloses techniques seeking to establish a tunnel using a virtual or so-called pseudo network adapter. In particular, Alden, et al., seeks to have a pseudo network adapter appear to the communications protocol stack as a physical device for providing a virtual private network having a dynamically determined end point to support a user in a mobile computing environment. The pseudo network adapter disclosed in Alden, et al. seeks to receive packets from the communications protocol stack and pass received packets back through the protocol stack either to a user or for transmission.
An important IP layer security architecture and protocol for use in networking over IP networks such as the Internet is described in S. Kent and R. Atkinson, “Security Architecture for the Internet Protocol,” IETF Network Working Group Request for Comments 2401, November 1998. The so-called IPsec protocols and processes described in that IETF document have proven useful in a number of contexts.
IPsec security measures may be implemented in hardware or software, or some combination thereof. For example, Nortel has developed a hardware referred to as CONTIVITY® to provide secure transmission of data over the Internet, particularly for branch office applications. In operation, the CONTIVITY® hardware is connected to a digital transmission link, such as a T1 line, and provides routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed IP networks and the Internet. In general, such hardware is often very large and very costly suitable for larger offices.
Security measures may also be implemented in software. For example, if a company wants to provide for secure communication between its branch offices, traveling employees or telecommuting employees, CONTIVITY® hardware can be located a central office and software can be provided to the branch offices and mobile employees. In this example, the employee software client is designed to encrypt and decrypt every packet being routed to and from the Internet, respectively.
In a PC using a Windows®-based operating system, software exists which runs the IP stack, existing code that processes all communications to and from the PC in a fixed sequence. The software client includes code that nests, or embeds, itself into the IP stack to perform the encryption and decryption of information being routed to and from the Internet. This nested code is often referred to as an IPsec software shim.
IP stack software shims are problematic because of the structure of the Windows®-based IP stack. Every time a new application is added to the sequence of a PC using a Windows®-based operating system, the IP stack is rewritten. When an IP stack is rewritten, the IPsec shim gone, i.e., it is no longer embedded within the IP stack. When the software shim is gone, the software client identifies the PC as being “under attack”, e.g., by a virus, because the IP stack has been changed. The software client then locks up the PC and prevents the user from accessing all of the software stored in memory on the computer.
Alternatively, even if the computer is not locked up, the alteration of the IP stack can interfere with the encryption/decryption process performed by the software shim. In other words, the user may mistakenly believe that encryption and decryption is being performed on transmitted and received packets, when in fact, no such encryption and decryption is being performed. This is particularly problematic because typical computer users are not experts in the maintenance of complex, error-prone operating systems, or the complex, error-prone applications that run upon them. Inexperienced users may casually add and delete software to and from his computer without understanding the damage being caused to the PC. Software maintained by novice computer users is not reliable for security purposes.
The use of nested, open Internet access options, with multiple Internet Service Providers (ISPs) between computer users and organizations, exacerbates these problems by injecting new points from which attacks may be launched and from which information may leak. In other words, the more ISPs a user avails itself of, the greater the chance that the user's PC will be compromised by Trojan-horses, viruses, zombies, etc. It is likely that a user owned and operated PC has already been hacked or compromised. Personal computers that have not yet been hacked remain vulnerable to hackers.
In addition to the problem of a user losing all of the information on his computer, another problem with this software shim solution exists. As a user implements more complex security procedures, more and more of the central processing unit is being allocated to such procedures. As a result, the performance of the computer will be sluggish. This is especially true if a user has a lightweight CPU with limited battery capabilities.
In addition to the security issues, many users experience difficulties in establishing reliable, secure connections for other reasons. Such difficulties arise, in part, because many configuration variables must be taken into account, such as whether the connection is for a single computer or for a LAN, whether a location is to be identified by a dynamic or static IP address, as well as the type of connection required. Thus, for example, a traveling employee may require access to a corporate headquarters network using a dial-up telephone line from a hotel, or a leased line connection from a supplier location. Many home or home office users will connect to the Internet through a dial-up line using an analog modem, while others will employ cable or DSL modem links. Each connection type and location may require specific configuration information that can be daunting to frequent travelers and can consume considerable time and effort even by those having considerable networking skills.
Other factors that must be dealt with in establishing connections from home, field office, hotel, and other mobile locations (such as wireless links from the field) relate to network address information to be employed for network, including Internet, access. An IP (Internet protocol) address represents a communications end point, but some network nodes, such as shared computer facilities at a company location may have many users per address or many addresses per user. A typical network node will be identified by a unique 32-bit IP address of the form 101.100.2.2. A router that directs information to various end hosts has an IP address such as “101.100.2.1”, where the last part will be a unique number identifying end hosts connected to the router. For example, for three hosts connected to such a router, these hosts may have IP addresses of 101.100.2.2, 101.100.2.3, and 101.100.2.4.
While occasional users may only require a temporary or dynamic address for each session, or transaction, with the same address being assigned to another user after the session or transaction is complete, many network nodes, such as those associated with a corporate host or network service provider require one or more permanent or static IP addresses. With a static IP address, authorized persons may direct traffic to or access information available at the static IP address at any time.
As will be readily perceived, there are many complexities and difficulties involved with connecting to and configuring a computer or LAN for communication through the Internet. Moreover, it will be appreciated that routers, including any at a customer location or at an ISP, must be configured correctly. At an ISP, a trained network operator is typically available for entering configuration information into a router, including the IP address of a customer, an account number, etc. Other configuration information that must be entered includes telephone numbers to dial, passwords, packet filter rules, LAN network information, domain name information, e-mail configuration, compression parameters and others.
Further, even when this is accomplished at an ISP, a customer must be made aware of this information, to permit manual entry of corresponding required information into networking equipment at a user location, e.g., to configure a router. For any but the simplest of connections, this process can prove tedious and error-prone. Further, a mobile user will be required to reconfigure his or her terminal or LAN for each new location, or access facility. It will be appreciated that connecting a LAN can be considerably more difficult than connecting a single computer node (host or client), as networked components may require specification of a variety of specific configuration parameters. Thus, parameters for network components, e.g, routers, firewalls, DNS servers and DHCP servers, and security mechanisms, must all be set correctly before the LAN can successfully communicate with the Internet.
As noted above, secure links present additional configuration and setup requirements, including, in appropriate cases, key exchange material and other tunnel configuration information. In prior work, a network adaptor and configuration procedure was employed that facilitates establishment of secure VPN tunnels, illustratively using an IPsec protocol, for a range of applications and uses. See, J. S. Denker, et al., “Moat: a Virtual Private Network Appliance and Services Platform,” Proc. 1999 LISA XIII—Nov. 7-12, 1999, Seattle.
From the foregoing it will be appreciated that automation of the configuration and setup of network nodes, including IP LAN network nodes, seeking to securely communicate over IP networks, such as the Internet, is highly desirable. Such automated configuration and setup of computers and other network elements is especially desirable for mobile users. It is likewise desired that a flexible access system and configuration process be provided for configuring a computer system for communication over IP networks.